31c3 - A New Dawn

Another year, another c3

This year marked my 11th year of congress (and 10th visit with a short hiatus in 2012). Just like all the years before we headed to the conference location a day before the start of the 31c3. After arriving in Hamburg (after a quick detour through the Lufthansa lounge in Frankfurt with super decent food) we checked in at the hostel and headed to the CCH, the conference location. After Lumi got her ticket we headed in and explored the assembly area where a lot of fancy stuff was already set up.


While there were tons of awesome art projects, old gaming machines, and other fancy decoration we felt that cozy seating areas were missing. In the last couple of years we loved to chill on the widely available couches. This year there were only a few couches available and there was usually a super long wait to score some. But then again, the congress is facing exponential growth (Club of Rome anyone?) and it is now at more than 12,000 attendees (from around 3,000 attendees 4 years ago) and there's just no more space available.

The 5 talks I appreciated most are:

  • Iridium Pager Hacking -- Sec, schneider
  • Mining for Bugs with Graph Database Queries -- fabs
  • Thunderstrike: EFI bootkits for Apple MacBooks -- Trammell Hudson
  • The Perl Jam: Exploiting a 20 Year-old Vulnerability -- Netanel Rubin
  • Why are computers so @#!*, and what can we do about it? -- Peter Sewell
  • and obviously my talk on Code-Pointer Integrity...

Wir beteiligen uns aktiv an den Diskussionen -- Martin Haase

This was the first talk I watched and maha was awesome as always, discussing the fine lines of political argument and how you can guide and lead a willing audience.

SCADA StrangeLove: Too Smart Grid in da Cloud -- Sergey Gordeychik, Aleksandr Timorin

From the soft skill talk by maha we moved on to a more technical talk about the continuously bad shape of SCADA systems, including many nice details on their insecurities and how to pwn the systems.

Glitching For n00bs -- exide

Some details on voltage glitching, playing with frequency shifts, and so on to get around ROM limitations and force specific execution patterns. Nice introduction to glitching but nothing earth shattering.

Code Pointer Integrity -- gannimo

My talk on Code-Pointer Integrity, a defense mechanism we developed to protect low level code written in C or C++ against control-flow hijack attacks.

AMD x86 SMU firmware analysis -- Rudolf Marek

There are bugs in low-level firmware, who would have thought?

Crypto Tales from the Trenches

This panel, led by Nadia Heninger, featured a bunch of journalists (Julia Angwin, Laura Poitras, Jack Gillum) and discussed how "real people" use crypto software to protect themselves against governmental spying.

Citizenfour -- Laura Poitras

If you haven't seen it yet: the movie is about the Edward Snowden leaks and how they exchanged data. It sheds some more light on the person behind the leaks and discusses some of the motivations. Great movie, go watch it!

Iridium Pager Hacking -- Sec, schneider

Sec and schneider reverse engineered the Iridium text message protocol and, starting from a USRP radio, they developed a cheap method to capture all messages in an area using a super cheap software-defined radio. It was especially interesting to peek into their thought process and reverse engineering efforts to get at the protocol details and to decode the actual messages. This was an awesome talk and I really enjoyed the workshop that they organized right after the talk. I feel that I learned a lot (especially about gnuradio quirks).

Mining for Bugs with Graph Database Queries -- fabs

Fabs rehashed his Oakland'14 talk and added a bunch of fresh VLC bugs and a longer discussion on the topic to make it more approachable to hackers. I really appreciate that he open-sourced the full framework and is super open to other hackers playing with his graph search database. The idea is that you have a super simple parser that churns through a bunch of code (without compiling it), pipes it into a graph database, and allows you to query for specific patterns on a combined control-flow, program-dependence, and partial data-flow graph. Using all these combined graphs you can formulate super complex queries that hint at specific bugs and reduce the amount of code that you have to audit for 0days.
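As an added illustration of that idea (my own toy code, not fabs's framework or its query language), here is a hand-built code property graph for two constructed C snippets and one query in Python: it flags a memcpy whose length argument comes from recv without a condition testing that variable anywhere on the control-flow path, which is exactly the kind of "tainted sink with no sanitizer" pattern such queries are written for.

```python
from collections import defaultdict
SOURCES = {"recv", "read"}      # calls whose return value is attacker-controlled (assumed taint sources)
SINKS = {"memcpy", "strncpy"}   # calls whose length argument we want to audit (assumed sinks)
class CPG:  # toy code property graph: statement nodes plus cfg (control-flow) and ddg (def->use) edges
    def __init__(self):
        self.nodes, self.cfg, self.ddg = {}, defaultdict(list), defaultdict(list)
    def stmt(self, nid, code, kind="stmt", calls=None, uses=()):  # uses: only the audited variable
        self.nodes[nid] = {"code": code, "kind": kind, "calls": calls, "uses": set(uses)}
    def flow(self, a, b): self.cfg[a].append(b)             # control flow a -> b
    def dep(self, d, u, var): self.ddg[u].append((d, var))  # var defined at d is used at u

def tainted_sources(g, node, var, seen=None):
    """Walk ddg edges backwards from var at node; return definitions produced by a source call."""
    seen, found = (set() if seen is None else seen), []
    for d, v in g.ddg[node]:
        if v == var and d not in seen:
            seen.add(d)
            if g.nodes[d]["calls"] in SOURCES:
                found.append(d)
            for u in g.nodes[d]["uses"]:  # e.g. len = n + 1: keep walking through intermediates
                found += tainted_sources(g, d, u, seen)
    return found

def unchecked_path(g, src, sink, var):
    """True if some cfg path src -> sink never crosses a condition that tests var (no sanitizer)."""
    stack, seen = [src], set()
    while stack:
        n = stack.pop()
        if n == sink:
            return True
        seen.add(n)
        stack += [s for s in g.cfg[n] if s not in seen  # never follow into a guard that tests var
                  and not (g.nodes[s]["kind"] == "cond" and var in g.nodes[s]["uses"])]
    return False

def find_unchecked_copies(g):  # the query: sinks whose length is tainted and reaches them unchecked
    return [(nid, var, src) for nid, nd in g.nodes.items() if nd["calls"] in SINKS
            for var in nd["uses"] for src in tainted_sources(g, nid, var)
            if unchecked_path(g, src, nid, var)]

def sample_graph():  # constructed graph for two small C functions (hand-built; a real tool parses it)
    g = CPG()
    g.stmt(1, "n = recv(fd, buf, sizeof buf, 0)", calls="recv")            # function A: checked
    g.stmt(2, "if (n > sizeof dst) return -1", kind="cond", uses=["n"])
    g.stmt(3, "memcpy(dst, buf, n)", calls="memcpy", uses=["n"])
    g.flow(1, 2); g.flow(2, 3); g.dep(1, 2, "n"); g.dep(1, 3, "n")
    g.stmt(4, "len = recv(fd, buf, sizeof buf, 0)", calls="recv")          # function B: unchecked
    g.stmt(5, "memcpy(dst, buf, len)", calls="memcpy", uses=["len"])
    g.flow(4, 5); g.dep(4, 5, "len")
    return g
```

Running find_unchecked_copies(sample_graph()) reports only function B's memcpy (node 5); whether the check in function A is actually correct is a separate question the query does not answer, which is why the result is an audit hint rather than a bug.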

Fernvale: An Open Hardware and Software Platform, Based on the (nominally) Closed-Source MT6260 SoC -- bunnie, Xobs

Bunnie introduced their research and engineering efforts into a super cheap ARM/GSM hardware project. The talk was awesome and it is best if you watch it and read his blog post.

The Matter of Heartbleed -- Zakir Durumeric and Heartache and Heartbleed: The insider's perspective on the aftermath of Heartbleed -- Nick Sullivan

Awesome wrap up of heartbleed and how we analyzed and scanned a large part of the internet to ensure that people actually patch the vulnerability. Great super compact talk by Zakir and you might also want to read the paper.

Nick then discussed the CloudFlare challenge that they did, but surprisingly he reformulated the challenge and presented CloudFlare in a much better light. CloudFlare challenged hackers to try to exploit the vulnerability, and it sounded as if they were super sure that using their allocator made the vulnerability unexploitable, while in the talk Nick presented it as a crowd-sourcing approach to find a working exploit. Anyways, the talk was interesting to follow and allowed closure on heartbleed.

Fnord News Show -- Frank, fefe

The Fnord news show was awesome as always. We enjoyed the show and -- as always -- were surprised by all the crap that happened during the year. It is sad what kind of atrocities politicians get away with.

EMET 5.1 - Armor or Curtain? -- Rene Freingruber

Overview on EMET 5.1 and how you can break all defense mechanisms like ASLR, DEP, and different forms of canaries. The talk did not offer any surprises but it was nice to get an overview of the exploit techniques he used (ROPing and info-leaking away).

DP5: PIR for Privacy-preserving Presence -- Ian Goldberg, George Danezis, Nikita Borisov

Talk on how to use private information retrieval and how to connect anonymous (or semi-anonymous) entities for secure data exchange. This technique protects against graph similarities and breaking (pseudo-)anonymity by correlating social graphs.

Thunderstrike: EFI bootkits for Apple MacBooks -- Trammell Hudson

Exploiting and pwning the firmware of your MacBook using a 2-year-old bug and a 20-year-old legacy feature: connecting a malicious device to the Thunderbolt PCI bus, intercepting the boot process, and injecting your own code into the firmware, circumventing all Apple verification. Existing devices will always be vulnerable to downgrade attacks; newer devices can be protected (by not exposing vulnerable older firmwares).

The Perl Jam: Exploiting a 20 Year-old Vulnerability -- Netanel Rubin

Awesome talk on lists in Perl and how they can be used to overwrite arguments in functions when they are expanded. This is a must watch, partly for the explicit language, the awesome camel pictures, and all the great WATs.

UNHash - Methods for better password cracking -- Tonimir Kisasondi

The search space for long passwords is huge; Tonimir looked at specific ways to guide the search to reap some low hanging fruits and find longer passwords faster. He looked at password leaks and came up with different forms of combinations and how passwords are constructed from a human perspective, targeting such passwords explicitly using different word lists.

Infocalypse now: P0wning stuff is not enough -- Walter van Holst

Walter presented a very meta talk on the infocalypse.

Why are computers so @#!*, and what can we do about it? -- Peter Sewell

Awesome talk by Peter taking us on a wild ride through 60 years of abstractions in computer architecture, building layer upon layer of the software stack, featuring memory coherency questions and arguing in favor of verified interfaces. All layers should be verified, formally proven, and protected at all times. He is interested in coming up with formal descriptions of the interfaces that are amenable to testing and can actually be used in practice.

State of the Onion -- Jacob, arma

Jacob and arma presented the current status of the Tor project and discussed the growth in bandwidth, governmental attacks, and other kinds of quirks that the Tor project faces on a daily basis.

Missed talks

Due to overcrowding I was unable to watch the following talks. I heard great things about all of them and they are on my watch list for my next couple of flights:

  • Practical EMV PIN interception and fraud detection -- Andrea Barisani
  • Revisiting SSL/TLS Implementations -- Sebastian Schinzel
  • SS7: Locate. Track. Manipulate. -- Tobias Engel
  • ECCHacks -- djb, Tanja Lange
  • Beyond PNR: Exploring airline systems -- saper
  • Security Analysis of Estonia's Internet Voting System -- J. Alex Halderman
  • Preserving arcade games -- Ange Albertini
  • Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer -- Rafal Wojtczuk, Corey Kallenberg
  • CAESAR and NORX -- Philipp Jovanovic, aumasson

Goodbye 31c3

It was a pleasure, goodbye Hamburg, and see you next year!